79670990

Date: 2025-06-18 16:22:11
Score: 0.5
Natty:

Storing the email and password on the device is not secure and should be avoided, especially for sensitive apps like banking. When working on the front end, it's best to assume that all stored data may be exposed.

The only secure way I found is storing a refresh token (long-lived token) in encrypted format instead of the password, which will then be passed to the server on successful biometric authentication and return an access token.

You also need to handle the case where the refresh token itself expires, in which case the user will need to log in with his credentials again. You can also have an API call for verifying the long-lived token every time the app opens, with a message in case of a false response like "session has expired, login again with credentials".

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (0.5):
Posted by: Shubham